Trace of Grizzly Steppe Hack on US Points to Ukrainian University Student

All information compiled below was ascertained by Finnish geopolitical researcher Petri Krohn, who administers the “A Closer Look on Syria” website, and by George Eliason at Washington’s Blog. Here is what Krohn and Eliason’s deep web research has led to so far regarding the “Grizzly Steppe” hacker who US authorities cited as hacking into the Vermont power grid.

1) U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe or “PAS tool PHP web kit”. They have published a YARA signature file that allows anyone to identify it.

On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.
The JAR package offers technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS). Accompanying CSV and STIX format files of the indicators are available here:
GRIZZLY STEPPE Indicators (CSV)
GRIZZLY STEPPE Indicators (STIX xml)
DHS recommends that network administrators review JAR-16-20296.pdf below for more information and implement the recommendations provided.
(Initial release of the report: December 29, 2016.)

2) Security company Wordfence says Grizzly Steppe is actually the P.A.S. web shell, a common malware tool found on compromised WordPress sites. They traced its origin to a Ukrainian download site, Profexer.name.

Update at 1am Pacific Time, Monday morning Jan 2nd: Please note that we have published a FAQ that accompanies this report. It contains a summary of our findings and answers several other questions our readers have had. It also provides some background on our methodology. You can read it either before or after reading this report. The original report follows:

The United States government earlier this year officially accused Russia of interfering with the US elections. Earlier this year on October 7th, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement that began:

“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.”

Yesterday the Obama administration announced that they would expel 35 Russian diplomats and close two Russian facilities in the United States, among other measures, as punishment for interfering with the US 2016 election.

In addition, yesterday the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) released a Joint Analysis Report, or JAR, compiled by the DHS and FBI, which they say attributes the election security compromises to Russian intelligence operatives that they have codenamed ‘GRIZZLY STEPPE‘.

The report that DHS and DNI released includes in its first paragraph: “This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample.”

3) The profexer site presents an SSL certificate that identifies it as pro-os.ru and gives an email address aazzz@ro.ru.

5) The contacts given on the pro-os.ru site link to the VK account of Roman Alexeev and the email address roman@pro-os.ru. The VK account has been suspended because of “suspicious activity”. (You need to be logged in to VK to see the “Author” of the application.) https://vk.com/app4714348

6) One of the sites where “Roman Alexeev” links to his VK account is Freelancehunt.com. His profile contains a photograph and the nick aazzz. He claims he is from Zaporizhia and 25 years old. https://freelancehunt.com/freelancer/aazzz.html (archive)

7) The profile photo on Freelancehunt actually belongs to Jaroslav Volodimirovich Panchenko (ПАНЧЕНКО Ярослав Володимирович), an information technology student and member of the student self-government structure of the Poltava National Technical University. http://pntu.edu.ua/ru/diyalnist/studentske-zhittya.html

[Photo: Jaroslav Volodimirovich Panchenko as he appears on the official site of ПолтНТУ.]

Editor’s Note: An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.

More from George Eliason at Washington’s Blog on how the CrowdStrike story fell apart regarding this alleged hack:

Why Crowdstrike’s Russian Hacking Story Fell Apart: Say Hello to Fancy Bear
Posted on January 3, 2017 by George Eliason

[Preface by Washington’s Blog: As patriotic Americans, we are most concerned about what’s best for the U.S. If it’s Ukrainians – more than Russians – who are interfering with our country, we have a right to know. We are for uncovering the truth, wherever that may lead. As such, we bring you alternative voices and on-the-ground reporting. Then we let you decide what you believe.]

In the wake of the JAR-16-20296 dated December 29, 2016 about hacking and influencing the 2016 election, the need for real evidence is clear. The joint report adds nothing substantial to the October 7th report. It relies on proofs provided by the cyber security firm Crowdstrike that are clearly not on par with intelligence findings or evidence. At the top of the report is an “as is” statement showing this. The difference between Dmitri Alperovitch’s claims, which are reflected in JAR-16-20296, and this article is that enough evidence is provided to warrant an investigation of specific parties for the DNC hacks. The real story involves specific anti-American actors that need to be investigated for real crimes.

For instance, the malware used was an outdated version just waiting to be found. The one other interesting point is that the “Russian” malware called Grizzly Steppe is from Ukraine. How did Crowdstrike miss this when it is their business to know? Later in this article you’ll meet and know a little more about the real “Fancy Bear and Cozy Bear.” The bar for identification set by Crowdstrike has never been able to get beyond words like probably, maybe, could be, or should be, in their attribution.

The article is lengthy because the facts need to be in one place. The bar Dmitri Alperovitch set for identifying the hackers involved is that low. Other than asking America to trust them, how many solid facts has Alperovitch provided to back his claim of Russian involvement? The December 29th JAR adds a flowchart that shows how a basic phishing hack is performed. It doesn’t add anything significant beyond that. Noticeably, they use both their designations APT 28 and APT 29 as well as the Crowdstrike labels of Fancy Bear and Cozy Bear separately. This is important because information from outside intelligence agencies has the value of rumor or unsubstantiated information at best, according to policy. Usable intelligence needs to be free from partisan politics and verifiable. Intel agencies noted back in the early 1990s that every private actor in the information game was radically political.